Subject: Caldera Security Advisory 96.03: Vulnerability in the dip program
Caldera Security Advisory SA-96.03
July 8th, 1996
Topic: Vulnerability in the dip program
I. Problem Description
The dip program manages the connections needed for dial-up
links such as SLIP and PPP. It can handle both incoming and
outgoing connections. To gain access to resources it needs to
establish these IP connections, the dip program is often installed
as set-user-id root.
A vulnerability in dip makes it possible to overflow an internal
buffer whose contents are under the control of the user running the
dip program. If this buffer is overflowed with suitably crafted data,
another program, such as a shell, can be started, and it then runs
with root permissions on the local machine.
Exploitation scripts for dip have been found running on Linux
systems for X86 hardware. Although exploitation scripts for other
architectures and operating systems have not yet been found,
we believe that they could be easily developed.
II. Impact
On systems such as CND 1.0 and Red Hat 2.1 that have dip installed
set-user-id root, an unprivileged user can obtain root access.
III. Solution / Workaround
A simple workaround is to disable the SUID root bit:
chmod 755 /usr/sbin/dip
If you must run dip SUID root, restrict its execute permission to a
group that contains only trusted users.
CND 1.0 and Red Hat 2.1 shipped with dip-3.3.7n-2.i386.rpm. Version
dip-3.3.7n-3.i386.rpm has the SUID root bit disabled and is available
via FTP from:
ftp://ftp.caldera.com/pub/cnd-1.0/updates/dip-3.3.7n-3.i386.rpm
or the directory
old-releases/redhat-2.1/i386/updates/RPMS
from Red Hat or one of its mirror sites:
ftp.redhat.com:/pub
ftp.caldera.com:/pub/mirrors/redhat
The MD5 checksum (from the "md5sum" command) for this RPM is:
3c94852a8fb636aa9b5407cae155e2ae dip-3.3.7n-3.i386.rpm
Note that this problem was announced in January 1996. It has regained
attention since CERT finally issued an advisory for this problem
today. Code to exploit this problem has also been publicly
reposted today.
Another option (untested at Caldera) is to install
dip-3.3.7o-4.i386.rpm
found in the directory
contrib/RPMS
from Red Hat or one of its mirror sites. Its MD5 checksum is:
cbd0005199be7038e2b09f70473d59ba dip-3.3.7o-4.i386.rpm
Note that this RPM is in RPM 2.0 format and is not readily usable
with CND 1.0.
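The checks and changes described in section III, written out as a small
POSIX shell script. This is an added example, not part of the Caldera
advisory or of the dip package: it audits whether a binary carries the
set-user-id bit, clears it the way the advisory's chmod does, restricts a
binary that must stay SUID to a group, and verifies a downloaded RPM
against the published md5sum. The path /usr/sbin/dip comes from the
advisory; the group name "dipusers" is an assumption, as is the
assumption that GNU md5sum and find are installed.

```shell
#!/bin/sh
# Added example (not from the Caldera advisory): audit and harden a
# set-user-id binary as section III recommends.
# Assumptions: /usr/sbin/dip is the binary (from the advisory), the group
# "dipusers" exists and holds only trusted users, md5sum and find are present.

# is_setuid PATH -> exit 0 if PATH has the set-user-id bit, 1 otherwise.
# -prune keeps find from descending if PATH happens to be a directory.
is_setuid() {
    [ -n "$(find "$1" -prune -perm -4000 2>/dev/null)" ]
}

# drop_setuid PATH -> clear the SUID bit, leaving mode 755 as in the advisory.
drop_setuid() {
    chmod 755 "$1"
}

# restrict_to_group PATH GROUP -> keep SUID root but allow execution only by
# the owner and members of GROUP (mode 4750: others get no access at all).
# Requires root, because chgrp on a file you do not own fails.
restrict_to_group() {
    chgrp "$2" "$1" && chmod 4750 "$1"
}

# verify_md5 PATH EXPECTED -> exit 0 only if md5sum of PATH equals EXPECTED.
# Use this on the downloaded RPM before installing it.
verify_md5() {
    actual=$(md5sum "$1" | awk '{print $1}')
    [ "$actual" = "$2" ]
}

# Typical use on an affected system (as root), using the advisory's values:
#   if is_setuid /usr/sbin/dip; then drop_setuid /usr/sbin/dip; fi
#   verify_md5 dip-3.3.7n-3.i386.rpm 3c94852a8fb636aa9b5407cae155e2ae
#   restrict_to_group /usr/sbin/dip dipusers   # only if SUID root is required

# When run directly with one or more paths, report their SUID state.
for f in "$@"; do
    if is_setuid "$f"; then
        echo "$f: set-user-id"
    else
        echo "$f: not set-user-id"
    fi
done
```

Run it as `sh audit_suid.sh /usr/sbin/dip` to see whether the installed
binary still carries the SUID bit; a clean result after applying the
advisory's chmod is "not set-user-id".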
IV. References
CERT advisories:
ftp://info.cert.org/pub/cert_advisories/CA-96.13.README
ftp://info.cert.org/pub/cert_advisories/CA-96.13.dip_vul
This and other Caldera security resources:
http://www.caldera.com/tech-ref/cnd-1.0/security/